[Bro] Bro on other Packet Trace Dumps.
Christoph Göldi
goeldich at ee.ethz.ch
Mon Mar 28 00:49:01 PST 2005
hi dana
tcpdump is also a binary format.
how did you catch your dump?
i mean when you catch it with tcpdump you get exactly what you described:
packet headers in binary.
cheers
christoph
--On Monday, 28 March 2005 18:35 +1000 Dana Zhang <berry1.0 at gmail.com>
wrote:
> hi Chris,
>
>> i'm not sure, but i think that tcpdump is the only format at the moment
>> which can be read by bro.
>> what format do you have? maybe there is a converter around...
>>
>
> The current format of my data is just packet headers in binary. I
> tried to convert to tcpdump format myself. Can I confirm that tcpdump
> format for tcp connections is:
> src > dst: flags data-seqno ack window urgent options
>
> i'm only working with tcp packets.
> a couple of examples of my packets are as follows
> 10.0.0.163.1422 > 10.0.0.219.80: . 17193851:17193851(0) ack 1278587442 win 8623
> 10.0.0.7.1202 > 10.0.0.8.25: P 22414518:22415922(1404) ack 20496183 win 8474
> 10.0.0.67.4945 > 10.0.0.66.80: S 2222637079:2222637079(0) win 32696 urg 0
> 10.0.0.11.26159 > 10.0.0.12.25: . 868560419:868561879(1460) ack 1691568355 win 61320
>
> However, when I run this file with bro using
>> bro -r dumpfile brolite
> I receive the error problem with trace file dumpfile - bad dump file
> format.
>
> Is there something I missed?
> Cheers,
> Dana
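The point Christoph makes is that the lines Dana lists are tcpdump's human-readable *output*, not the binary pcap file that `bro -r` expects. The following script, added here as an illustration and not code from either poster or from the Bro project, parses lines in that textual style and serialises them into a classic libpcap file with properly checksummed IPv4/TCP headers. Since the text carries no payload bytes, link-layer addresses or timestamps, the example zero-fills the payload to the stated length, uses dummy MAC addresses and assigns one packet per second; all three are assumptions of this example, not information from the thread.

```python
import re
import struct
import socket

# Constructed sample lines in the textual tcpdump style quoted in the thread.
SAMPLE_LINES = [
    "10.0.0.163.1422 > 10.0.0.219.80: . 17193851:17193851(0) ack 1278587442 win 8623",
    "10.0.0.7.1202 > 10.0.0.8.25: P 22414518:22415922(1404) ack 20496183 win 8474",
    "10.0.0.67.4945 > 10.0.0.66.80: S 2222637079:2222637079(0) win 32696 urg 0",
    "10.0.0.11.26159 > 10.0.0.12.25: . 868560419:868561879(1460) ack 1691568355 win 61320",
]

# tcpdump's one-letter flag codes mapped to TCP header bits; ACK and URG are
# signalled by the presence of "ack N" / "urg N" rather than by a letter.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, ".": 0x00}
ACK_BIT, URG_BIT = 0x10, 0x20

LINE_RE = re.compile(
    r"^(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[FSRP.]+) (?P<seq>\d+):\d+\((?P<len>\d+)\)"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)(?: urg (?P<urg>\d+))?"
)


def parse_line(line):
    """Turn one textual tcpdump line into a dict of TCP/IP header fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised line: %r" % line)
    f = m.groupdict()
    flags = 0
    for ch in f["flags"]:
        flags |= FLAG_BITS[ch]
    if f["ack"] is not None:
        flags |= ACK_BIT
    if f["urg"] is not None:
        flags |= URG_BIT
    return {
        "src": f["src"], "dst": f["dst"],
        "sport": int(f["sport"]), "dport": int(f["dport"]),
        "seq": int(f["seq"]), "ack": int(f["ack"] or 0),
        "flags": flags, "win": int(f["win"]), "urg": int(f["urg"] or 0),
        "len": int(f["len"]),
    }


def checksum(data):
    """RFC 1071 ones-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(p):
    """Ethernet + IPv4 + TCP frame for one parsed packet. The text carries no
    payload, so the data bytes are zero-filled to the stated length (assumption)."""
    payload = b"\x00" * p["len"]
    src, dst = socket.inet_aton(p["src"]), socket.inet_aton(p["dst"])
    # TCP header with checksum 0, then checksum over pseudo-header + segment.
    tcp = struct.pack("!HHIIBBHHH", p["sport"], p["dport"], p["seq"], p["ack"],
                      5 << 4, p["flags"], p["win"], 0, p["urg"])
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    # IPv4 header: version/IHL, TOS, total length, id, flags/frag, TTL, proto, csum.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    # Dummy MAC addresses: the text has no link-layer information (assumption).
    eth = b"\x00\x00\x00\x00\x00\x01" + b"\x00\x00\x00\x00\x00\x02" + b"\x08\x00"
    return eth + ip + tcp + payload


def build_pcap(lines, snaplen=65535):
    """Serialise parsed lines into a classic pcap byte string (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, line in enumerate(lines):
        frame = build_frame(parse_line(line))
        # Timestamps are not in the text: one packet per second, constructed.
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    with open("converted.pcap", "wb") as fh:
        fh.write(build_pcap(SAMPLE_LINES))
```

The resulting `converted.pcap` opens in tcpdump (`tcpdump -r converted.pcap`) and is the kind of file `bro -r` reads; the global header's magic number is what a reader checks first, which is why a text file produces a "bad dump file format" error. Because the payload and timing are synthetic, any analysis built on top of such a conversion should treat content-level and timing-based results as unreliable and only trust the header fields that were actually recorded.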